'Critical' Off-Cycle IE Patch Released

Microsoft today released its second "critical" off-cycle patch for Internet Explorer this year.

The patch (MS10-018) is said to fix some 10 vulnerabilities in Microsoft's Web browser. Among them is a remote code execution (RCE) vulnerability that can be exploited if a user views a maliciously crafted Web page during an IE browsing session. The fix is a cumulative update released earlier than usual; it was originally planned for Microsoft's April Patch Tuesday security rollout.

Redmond explained that the fix is "critical for all supported releases of Internet Explorer." Those supported browsers include IE 5.01, IE 6 Service Pack 1, IE 6 on Windows clients, and IE 7 and 8 on Windows clients.

For Windows servers, the ratings for this security bulletin slip to "important" for IE 6 and "moderate" for IE 8.

This bulletin will fix the highly publicized zero-day vulnerability for Internet Explorer that was originally outlined in Microsoft's March security update, followed by a workaround released a week later. In addition to fixing what was addressed in earlier advisories, the bulletin will fix nine other "privately reported" vulnerabilities in IE.

IT pros who used Microsoft's workaround should start from scratch when installing this latest patch, according to Jason Miller, data and security team manager at Shavlik Technologies.

"If administrators used any of the workarounds suggested in the [March] security advisory that prompted this out-of-band release, it is important for them to un-apply the workarounds," he said. "This will restore functionality that was lost due to the temporary fix."
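The advice above leaves administrators with two checks to make on each machine: that the cumulative update actually landed, and which IE build is present. The PowerShell below is an added example, not code from the article or from Shavlik; the KB article number for MS10-018 is not given on this page, so it is left as a labelled placeholder to be filled in from the bulletin, and the registry path used for the IE version is the standard one Internet Explorer writes on Windows.

```powershell
# Added example: report whether the MS10-018 cumulative IE update is installed
# on the local host and which IE version is present. Run with administrative
# rights so Get-HotFix can read the installed-update list.

# ASSUMPTION: the KB number is not on the page; replace the placeholder with the
# KB article number listed in the MS10-018 bulletin before use.
$KbId = 'KB<placeholder>'

function Get-IeVersion {
    # IE records its version string under this key; newer builds also write
    # svcVersion, which is the more accurate of the two when present.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.svcVersion) { return $props.svcVersion }
    if ($props) { return $props.Version }
    return 'unknown'
}

function Test-IePatch {
    param([string]$Kb = $KbId)
    # Get-HotFix lists installed updates from the Windows installer database.
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        IeVersion    = Get-IeVersion
        Patched      = [bool]$hotfix
        InstalledOn  = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

# Print the result; a Patched value of False means the update is still missing.
Test-IePatch | Format-List ComputerName, IeVersion, Patched, InstalledOn
```

Run it locally on each client, or wrap the call in Invoke-Command to collect the same object from a list of hosts. Removing the March workaround itself is a separate, manual step here, since the article does not state which setting the workaround changed.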

This latest out-of-band patch may reflect an increased tendency on the part of Microsoft to issue patches outside the normal monthly rollout cycle. In both 2008 and 2009, Microsoft released only two out-of-band security bulletins to fix critical vulnerabilities, yet Microsoft has already equaled that number in 2010.

"It's only March and for the second time this year, Microsoft has released an out-of-band patch to address critical vulnerabilities in Internet Explorer," noted Andrew Storms, director of security at nCircle. "Let's hope this isn't the start of a bad trend for Microsoft in 2010."

The reaction to this latest off-cycle hotfix was mixed among other security pros. Some suggested that enterprise users should rely on other browsers as a replacement or backup to IE. Others praised Microsoft's speed and the fact that privately reported vulnerabilities seem to lead to quicker response times.

"IT functions are being held hostage by the Windows operating systems and associated Microsoft applications, such as the IE browser," said Amrit Williams, CTO of BigFix. "We must look for alternatives or implement controls that can isolate or segment aspects of the computing environment."

Williams pointed IT administrators toward browser alternatives, such as Mozilla's Firefox and Google's Chrome, as well as "alternative computing paradigms," such as desktop virtualization, which can sandbox difficult-to-manage and highly targeted applications.

Microsoft's off-cycle patching efforts were seen in a more positive light by hacker and exploit guru H.D. Moore of software security firm Rapid 7.

"Microsoft's shift from reactive updates to proactive patching is a much more profound shift than it appears," said Moore, who is Rapid 7's chief security officer. "Patching the other nine issues early confirms that Microsoft factors public exploits in their own prioritization, which is a natural next step from their Exploitability Index."

Moore added that getting ahead of the game on the exploit code from a previous security advisory gave Microsoft an "early release vehicle for the other nine issues." He added that Microsoft's response "sends a strong message that they acknowledge the connection between browser security and the research community."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.